Re: Apple Safari on MacOSX may reveal user's saved passwords

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: Apple Safari on MacOSX may reveal user's saved passwords
From: "stephen joseph butler" <stephen.butler@xxxxxxxxx>
Date: Wed, 16 May 2007 10:53:18 -0500
Dkim-signature: a=rsa-sha1; c=relaxed/relaxed; d=gmail.com; s=beta; h=domainkey-signature:received:received:message-id:date:from:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=nZrhfZtKt+lqnnFxuKGD3HLehPetTU6SE1vO3kGkmMs2oc+ZZRCyhD0TIaqihecyBzkRU/8N2XHj0Mg9ifKItYkusdFkLtTF5dWu/deRSpJ9u1m8xiT6EAkiPZOdxIKC62T+D/Y2YUB4SMS5gMXWPWi+k+eklTRjw0HwIFs9REo=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=received:message-id:date:from:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=cTnjldrrhwIgAr7dHNVCAF9pIJn1ZIeAp06vY2KjkB2Aq1yBCTUkApFkxjaVouvE19FuiOnDpP4f3RLKA9wI2dYc35b4/GHEgg2OC1viod9Zooj81HBsVO1s1R9EHi3231LlFrMkb5JaXwil1F/3KeaYCZcI7DrGYCoOQljrwxU=
In-reply-to: <9C42FC220D17D6458C7296A12006F887904C8C@xxxxxxxxxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <20070514135053.31019.qmail@xxxxxxxxxxxxxxxxx> <9C42FC220D17D6458C7296A12006F887904C8C@xxxxxxxxxxxxxxxxxxxxxx>

On 5/14/07, Lucas, Mark J. <mjlucas@xxxxxxxxxxx> wrote:

If I'm reading this correctly, there has to be a malicious user at the
console of a logged in computer (or connected in some other
authenticated way).  If I have a malicious user at my console logged in
as me, I've got more problems than web form passwords being revealed.

Am I reading this incorrectly?


No, you're right. Part of the point is that Safari is reading these
passwords from Keychain. And the whole point of Keychain is preventing
unauthorized programs from getting at the datastore. If a rogue
program asked for these passwords directly, then Keychain would
present a dialog alerting the user. But as the applescript shows, the
program can get Safari to essentially act on its behalf.

References:
- Apple Safari on MacOSX may reveal user's saved passwords
  - From: poplix
- RE: Apple Safari on MacOSX may reveal user's saved passwords
  - From: Lucas, Mark J.

Prev by Date: Re: Defeating Citibank Virtual Keyboard protection using screenshot method
Next by Date: Re: Apple Safari on MacOSX may reveal user's saved passwords
Previous by thread: RE: Apple Safari on MacOSX may reveal user's saved passwords
Next by thread: RE: Apple Safari on MacOSX may reveal user's saved passwords
Index(es):
- Date
- Thread